HTB Academy - SQLMAP ESSENTIALS - Case6 - Non-standard boundaries

Hello,
I’m trying to do Case6, which requires me to set the correct values for the --prefix and --suffix arguments, but with no luck.

I also tried using --level 5 and --risk 3, hoping that the boundaries were covered there, but of course the exercise pushes me to think about or fuzz any possible boundary string.

The structure of my command is:

sqlmap 'http://142.93.35.92:31459/case6.php?col=id' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-GPC: 1' -H 'Cache-Control: max-age=0' -p col --prefix= --suffix= --level 5 --risk 3 --dbs -v 3

I used different strings for PREFIX and SUFFIX, but I guess they were already injected with those --level and --risk values.
For example, I tried to use:

--prefix="%'))" --suffix="-- -"
--prefix="' SELECT * FROM users" --suffix="'-- "
--prefix="'" --suffix="-- -"
--prefix="')" --suffix=";--+"
--prefix "')" --suffix "AND (SELECT * FROM users"

with no luck.

How can I guess what the right boundaries could be (or at least whether I’m on the right track) if I cannot see the PHP code, which contains for example:

$query = "SELECT id,name,surname FROM users WHERE id LIKE (('" . $_GET["q"] . "')) LIMIT 0,1";

Should I “brute-force” the boundaries?

Thank you in advance

Hello, I found a step forward. I noted that if I use the ` character in the prefix, the webpage answers me with

SQL error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '`)' at line 1

So, the query should have a structure like:

SELECT * FROM `users` WHERE `col = $id…

If I try to use -p col --prefix="%60+%3D+1" --suffix="+--+" --level 5 --risk 3 -v 3, sqlmap tells me that the backend DBMS looks like MySQL, and now, during the UNION test, it also asks me:

injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'?

I’m not sure if I’m on the right track, even though I still cannot find anything.

UPDATE:
Since the error above returns "right syntax to use near <query> ` )' at line 1" (so it adds that `)), I can assume that the statement ends with `), so in the prefix I should place a (`. I tried different prefixes such as "` OR (`" but with no luck.

If I try manually to inject like this:

http://188.166.173.208:31728/case6.php?col=id OR (GROUP BY 1

SQL error: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1

So now the error is near the " character. If this assumption is correct, I guess I should not use the --suffix argument… or maybe I’m just overcomplicating the problem…

UPDATE: I found the flag! ^^

How did you get it? I am stuck too.

Hello @jydn879,
You should imagine what the query behind it looks like. You already have id in the URL (because of col=id), so you must close it with the right character. Of course that id cannot stay there “alone”.

If you try to guess the possible SQL query behind it, it will be easy to get the solution.
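The query shape guessed in this thread (a backtick-quoted identifier built straight from ?col=) is a case where a prepared statement alone does not help, because an identifier cannot be a bound placeholder. Below is an added PHP example, not code from the HTB lab or from anyone in the thread, showing that pattern beside an allowlist fix; the column list, the `= :v` comparison and the PDO usage are assumptions.

```php
<?php
// Added example (not the lab's code): handling a column-name parameter safely.

// Hypothetical vulnerable pattern, mirroring the structure guessed in the
// thread: the identifier from ?col= is wrapped in backticks and concatenated.
// A value containing a backtick ends the quoted identifier early, which is
// exactly what the "near '`)'" MariaDB error in the thread reveals.
function buildQueryUnsafe(string $col): string
{
    return "SELECT id, name, surname FROM `users` WHERE `" . $col . "` = 1";
}

// Hardened version: PDO cannot bind identifiers, so the robust fix is an
// allowlist of column names that are known to exist (assumed list).
const ALLOWED_COLUMNS = ['id', 'name', 'surname'];

function buildQuerySafe(PDO $pdo, string $col, int $value): PDOStatement
{
    if (!in_array($col, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('column not permitted');
    }
    // $col is now one of a fixed set of literals, so interpolating it inside
    // backticks is safe; the compared value is bound as a real parameter.
    $stmt = $pdo->prepare("SELECT id, name, surname FROM `users` WHERE `$col` = :v");
    $stmt->bindValue(':v', $value, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt;
}

// Defender-side check: the prefix used in the thread, %60+%3D+1, decodes to
// "` = 1". A raw parameter that decodes to something containing a backtick
// never matches a legitimate column name, so it is worth logging as a probe.
function looksLikeIdentifierProbe(string $rawParam): bool
{
    return strpos(urldecode($rawParam), '`') !== false;
}
```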